Fed agencies look to encourage use of ethical hacking in healthcare

A Department of Defense initiative used 1,400 hackers to find network vulnerabilities, and officials say it’s time to let healthcare organizations try similar approaches.


The healthcare industry is a prime candidate to benefit from ethical hacking, a concept that could help bolster the cybersecurity of provider organizations and payers.

That’s the opinion of Lucia Savage, chief privacy officer in the Office of the National Coordinator for Health IT, who believes ethical hacking could help probe cyber defenses to identify weaknesses.

Ethical hackers are computer and networking experts who, with the owners’ authorization, attempt to penetrate information systems to find security vulnerabilities that a malicious hacker could potentially exploit.

According to Savage, the Department of Defense recently held a first-ever “Hack the Pentagon” event that attracted 1,400 participating hackers. They uncovered nearly 140 previously unknown vulnerabilities in public DoD websites, and the department paid those who found the bugs for their work. “This is a technique that has been found highly valuable,” she says.

She told a June 23 joint Health IT Policy-Standards Committee meeting that Defense Secretary Ash Carter was impressed by the pilot initiative targeting the military’s websites. She quoted him as saying that ethical hacking has helped the Pentagon be more secure, at a fraction of the cost it would take the DoD to ascertain its cyber vulnerabilities on its own.

While Savage noted that the healthcare industry has special rules about the data that such hacking might touch, and that hackers accessing live data “might cause other problems relative to your obligations to keep that data confidential,” such as data in electronic health records, she nonetheless asked the federal advisory committees, “If ethically hacking the Pentagon is helpful, how could this help security in the healthcare sector? Why does this not occur more?”

Given the need to improve cybersecurity, Savage revealed to the group that ONC is studying the issue of how the agency can accelerate the rate at which ethical hacking occurs in healthcare. “We are all in this together, and we have to figure it out,” she added. “I have no idea at the end of the day if we facilitate more ethical hacking in healthcare whether it will be happening at hospitals or in some lab where the data’s not live. I don’t really have an answer for that today. That’s exactly the kind of thing we’re thinking about.”

Dale Nordenberg, MD, a member of the Health IT Standards Committee and CEO of Novasano Health and Science, said that it was exciting to hear that ethical hacking is being considered in healthcare. However, he warned that “there’s a lot of caution around stepping into the domain of ethical hacking,” particularly as it relates to medical devices.

“Because it’s a regulated device, it’s not possible—as in the case for managed IT products, like a computer—to fix or patch a vulnerability at will,” Nordenberg said. “The issue is that once a vulnerability is identified, the industry is highly resistant to exposing the public to that specific vulnerability, because the manufacturer has to get engaged and be a part of assessing whether or not this is an important vulnerability and what the solution would be for all of its devices.”

In July 2015, the Food and Drug Administration alerted users that a computerized infusion pump, which communicates with hospital information systems via a wired or wireless connection over facility network infrastructures, has serious cybersecurity vulnerabilities that could put patient safety at risk. Consequently, the FDA advised healthcare facilities to disconnect the pumps from their networks to reduce the risk of unauthorized system access.

And in September 2015, the Federal Bureau of Investigation issued an alert warning about the cybersecurity risks that networked medical devices pose to patients. According to the FBI, Internet of Things (IoT) devices, which connect to the web and automatically send and receive data, including medical devices such as wireless heart monitors and insulin dispensers, pose a potential threat to patient health, because hackers could alter the code that controls the dispensing of medicines.

According to Nordenberg, co-founder and executive director of the Medical Device Innovation, Safety and Security Consortium, “pretty much every medical device out there is hackable.”

Savage replied that “we really have the Internet of Things in healthcare, and we have to not think about devices independent from the EHRs and from the patient’s actual life—it all runs together, which was, in fact, the point of improving the digitization of health in the system—but now we have some spillover effects that we also have to solve.” At the same time, she emphasized that the FDA—not ONC—is charged with the safety and effectiveness of medical devices.

However, Nordenberg countered that there are “jurisdictional chasms” between the agencies. “Everybody looks to the FDA to solve the problem, but the FDA really only has regulatory domain over the devices. Once they get implemented at a hospital, now you’re in the domain of the accreditors.”

Savage also told the federal advisory committees that there are several healthcare-specific provisions in the Cybersecurity Information Sharing Act of 2015 (CISA), enacted in December 2015 as part of the omnibus spending bill Congress passed, which will affect the industry.

According to Savage, among CISA’s directives is that the Health and Human Services Secretary develop a report for Congress that describes what HHS is doing to secure its own information systems, and that a task force of industry stakeholders be convened to develop best practices for improved cyber threat sharing in the healthcare industry.

“This is a concept that I describe to lay people as a neighborhood watch for cybersecurity,” she said. “The task for this task force is to look at what other industries are doing and figure out how those things can be leveraged to improve cyber threat sharing in healthcare.”

The ONC chief privacy officer said that while there is cyber threat sharing in healthcare, it is less coordinated among provider and health payer organizations and “less developed” than in other industries, most notably energy and finance. Savage said the task force, which started meeting in March, is “well underway” and meets publicly once a quarter. The body will produce a report in the first quarter of calendar year 2017, she added.
